bitrat | db222538ebb97c259d49917f7fdb5f7b38470fe96c38f190d0a2d79bcab1fb7a

Analysis

max time kernel
357s
max time network
360s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
27-10-2022 18:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

827615424_PDF_parsed.exe
Size

1.5MB
MD5

cd33f6e84ebfe15dab41be1319122907
SHA1

bff44bfcd5d534a2ce2ea8cab944391e7f55abc1
SHA256

db222538ebb97c259d49917f7fdb5f7b38470fe96c38f190d0a2d79bcab1fb7a
SHA512

6e664b00d9b7afb44e5559b7b152a742979c2a132857aa7eb94edb0ff22c75ad193c7eb5bb7dfb8071a79d480985c9b2b16550504632d9086814c10d02168a6b
SSDEEP

49152:Vnm4UcmDYIbFaTI39LMK44bFh1DgtJaJk4UUUUUJUUUUUU:x6blbku9Le4bFhuO1UUUUUJUUUUUU

Score

10^/10

bitrat trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

bitone9090.duckdns.org:9090

Attributes

communication_password
e10adc3949ba59abbe56e057f20f883e
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Executes dropped EXE 6 IoCs

Processes:

jkgtr.exejkgtr.exejkgtr.exejkgtr.exejkgtr.exejkgtr.exe

pid process

3184 jkgtr.exe
4404 jkgtr.exe
60 jkgtr.exe
4604 jkgtr.exe
4156 jkgtr.exe
4468 jkgtr.exe

pid	process
3184	jkgtr.exe
4404	jkgtr.exe
60	jkgtr.exe
4604	jkgtr.exe
4156	jkgtr.exe
4468	jkgtr.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4200-138-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/4200-139-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/4200-140-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/4200-141-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/4200-142-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/4200-147-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/2348-153-0x0000000000900000-0x0000000000CE4000-memory.dmp	upx
behavioral2/memory/2348-154-0x0000000000900000-0x0000000000CE4000-memory.dmp	upx
behavioral2/memory/4304-164-0x00000000009C0000-0x0000000000DA4000-memory.dmp	upx
behavioral2/memory/4304-165-0x00000000009C0000-0x0000000000DA4000-memory.dmp	upx
behavioral2/memory/4440-175-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/4472-185-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/4472-186-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/4072-193-0x0000000000500000-0x00000000008E4000-memory.dmp	upx
behavioral2/memory/4072-194-0x0000000000500000-0x00000000008E4000-memory.dmp	upx
behavioral2/memory/4072-195-0x0000000000500000-0x00000000008E4000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

Processes:

RegAsm.exeRegAsm.exeRegAsm.exe

pid process

4200 RegAsm.exe
4200 RegAsm.exe
4200 RegAsm.exe
4200 RegAsm.exe
4200 RegAsm.exe
4440 RegAsm.exe
4472 RegAsm.exe

pid	process
4200	RegAsm.exe
4200	RegAsm.exe
4200	RegAsm.exe
4200	RegAsm.exe
4200	RegAsm.exe
4440	RegAsm.exe
4472	RegAsm.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

827615424_PDF_parsed.exejkgtr.exejkgtr.exejkgtr.exejkgtr.exejkgtr.exe

description	pid	process	target process
PID 4872 set thread context of 4200	4872	827615424_PDF_parsed.exe	RegAsm.exe
PID 3184 set thread context of 2348	3184	jkgtr.exe	RegAsm.exe
PID 4404 set thread context of 4304	4404	jkgtr.exe	RegAsm.exe
PID 60 set thread context of 4440	60	jkgtr.exe	RegAsm.exe
PID 4604 set thread context of 4472	4604	jkgtr.exe	RegAsm.exe
PID 4156 set thread context of 4072	4156	jkgtr.exe	RegAsm.exe

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

2768 2348 WerFault.exe RegAsm.exe
1620 4304 WerFault.exe RegAsm.exe
1400 4072 WerFault.exe RegAsm.exe
Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

448 schtasks.exe
3008 schtasks.exe
4224 schtasks.exe
4580 schtasks.exe
2600 schtasks.exe
3924 schtasks.exe
NTFS ADS 1 IoCs

Processes:

RegAsm.exe

description ioc process

File created C:\Users\Admin\AppData\Local:27-10-2022 RegAsm.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

RegAsm.exeRegAsm.exeRegAsm.exe

description pid process

Token: SeShutdownPrivilege 4200 RegAsm.exe
Token: SeShutdownPrivilege 4440 RegAsm.exe
Token: SeShutdownPrivilege 4472 RegAsm.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

RegAsm.exe

pid process

4200 RegAsm.exe
4200 RegAsm.exe

pid	pid_target	process	target process
2768	2348	WerFault.exe	RegAsm.exe
1620	4304	WerFault.exe	RegAsm.exe
1400	4072	WerFault.exe	RegAsm.exe

pid	process
448	schtasks.exe
3008	schtasks.exe
4224	schtasks.exe
4580	schtasks.exe
2600	schtasks.exe
3924	schtasks.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local:27-10-2022	RegAsm.exe

description	pid	process
Token: SeShutdownPrivilege	4200	RegAsm.exe
Token: SeShutdownPrivilege	4440	RegAsm.exe
Token: SeShutdownPrivilege	4472	RegAsm.exe

pid	process
4200	RegAsm.exe
4200	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

827615424_PDF_parsed.execmd.exejkgtr.execmd.exejkgtr.execmd.exejkgtr.execmd.exe

description	pid	process	target process
PID 4872 wrote to memory of 3012	4872	827615424_PDF_parsed.exe	cmd.exe
PID 4872 wrote to memory of 3012	4872	827615424_PDF_parsed.exe	cmd.exe
PID 4872 wrote to memory of 3012	4872	827615424_PDF_parsed.exe	cmd.exe
PID 3012 wrote to memory of 448	3012	cmd.exe	schtasks.exe
PID 3012 wrote to memory of 448	3012	cmd.exe	schtasks.exe
PID 3012 wrote to memory of 448	3012	cmd.exe	schtasks.exe
PID 4872 wrote to memory of 632	4872	827615424_PDF_parsed.exe	cmd.exe
PID 4872 wrote to memory of 632	4872	827615424_PDF_parsed.exe	cmd.exe
PID 4872 wrote to memory of 632	4872	827615424_PDF_parsed.exe	cmd.exe
PID 4872 wrote to memory of 4200	4872	827615424_PDF_parsed.exe	RegAsm.exe
PID 4872 wrote to memory of 4200	4872	827615424_PDF_parsed.exe	RegAsm.exe
PID 4872 wrote to memory of 4200	4872	827615424_PDF_parsed.exe	RegAsm.exe
PID 4872 wrote to memory of 4200	4872	827615424_PDF_parsed.exe	RegAsm.exe
PID 4872 wrote to memory of 4200	4872	827615424_PDF_parsed.exe	RegAsm.exe
PID 4872 wrote to memory of 4200	4872	827615424_PDF_parsed.exe	RegAsm.exe
PID 4872 wrote to memory of 4200	4872	827615424_PDF_parsed.exe	RegAsm.exe
PID 3184 wrote to memory of 4596	3184	jkgtr.exe	cmd.exe
PID 3184 wrote to memory of 4596	3184	jkgtr.exe	cmd.exe
PID 3184 wrote to memory of 4596	3184	jkgtr.exe	cmd.exe
PID 4596 wrote to memory of 3008	4596	cmd.exe	schtasks.exe
PID 4596 wrote to memory of 3008	4596	cmd.exe	schtasks.exe
PID 4596 wrote to memory of 3008	4596	cmd.exe	schtasks.exe
PID 3184 wrote to memory of 4888	3184	jkgtr.exe	cmd.exe
PID 3184 wrote to memory of 4888	3184	jkgtr.exe	cmd.exe
PID 3184 wrote to memory of 4888	3184	jkgtr.exe	cmd.exe
PID 3184 wrote to memory of 2348	3184	jkgtr.exe	RegAsm.exe
PID 3184 wrote to memory of 2348	3184	jkgtr.exe	RegAsm.exe
PID 3184 wrote to memory of 2348	3184	jkgtr.exe	RegAsm.exe
PID 3184 wrote to memory of 2348	3184	jkgtr.exe	RegAsm.exe
PID 3184 wrote to memory of 2348	3184	jkgtr.exe	RegAsm.exe
PID 3184 wrote to memory of 2348	3184	jkgtr.exe	RegAsm.exe
PID 3184 wrote to memory of 2348	3184	jkgtr.exe	RegAsm.exe
PID 4404 wrote to memory of 1704	4404	jkgtr.exe	cmd.exe
PID 4404 wrote to memory of 1704	4404	jkgtr.exe	cmd.exe
PID 4404 wrote to memory of 1704	4404	jkgtr.exe	cmd.exe
PID 1704 wrote to memory of 4224	1704	cmd.exe	schtasks.exe
PID 1704 wrote to memory of 4224	1704	cmd.exe	schtasks.exe
PID 1704 wrote to memory of 4224	1704	cmd.exe	schtasks.exe
PID 4404 wrote to memory of 3664	4404	jkgtr.exe	cmd.exe
PID 4404 wrote to memory of 3664	4404	jkgtr.exe	cmd.exe
PID 4404 wrote to memory of 3664	4404	jkgtr.exe	cmd.exe
PID 4404 wrote to memory of 4304	4404	jkgtr.exe	RegAsm.exe
PID 4404 wrote to memory of 4304	4404	jkgtr.exe	RegAsm.exe
PID 4404 wrote to memory of 4304	4404	jkgtr.exe	RegAsm.exe
PID 4404 wrote to memory of 4304	4404	jkgtr.exe	RegAsm.exe
PID 4404 wrote to memory of 4304	4404	jkgtr.exe	RegAsm.exe
PID 4404 wrote to memory of 4304	4404	jkgtr.exe	RegAsm.exe
PID 4404 wrote to memory of 4304	4404	jkgtr.exe	RegAsm.exe
PID 60 wrote to memory of 3208	60	jkgtr.exe	cmd.exe
PID 60 wrote to memory of 3208	60	jkgtr.exe	cmd.exe
PID 60 wrote to memory of 3208	60	jkgtr.exe	cmd.exe
PID 3208 wrote to memory of 4580	3208	cmd.exe	schtasks.exe
PID 3208 wrote to memory of 4580	3208	cmd.exe	schtasks.exe
PID 3208 wrote to memory of 4580	3208	cmd.exe	schtasks.exe
PID 60 wrote to memory of 3584	60	jkgtr.exe	cmd.exe
PID 60 wrote to memory of 3584	60	jkgtr.exe	cmd.exe
PID 60 wrote to memory of 3584	60	jkgtr.exe	cmd.exe
PID 60 wrote to memory of 4440	60	jkgtr.exe	RegAsm.exe
PID 60 wrote to memory of 4440	60	jkgtr.exe	RegAsm.exe
PID 60 wrote to memory of 4440	60	jkgtr.exe	RegAsm.exe
PID 60 wrote to memory of 4440	60	jkgtr.exe	RegAsm.exe
PID 60 wrote to memory of 4440	60	jkgtr.exe	RegAsm.exe
PID 60 wrote to memory of 4440	60	jkgtr.exe	RegAsm.exe
PID 60 wrote to memory of 4440	60	jkgtr.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\827615424_PDF_parsed.exe
"C:\Users\Admin\AppData\Local\Temp\827615424_PDF_parsed.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4872

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\jkgtr.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:3012

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\jkgtr.exe'" /f
3⤵
- Creates scheduled task(s)
PID:448

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\827615424_PDF_parsed.exe" "C:\Users\Admin\AppData\Roaming\jkgtr.exe"
2⤵
PID:632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4200

C:\Users\Admin\AppData\Roaming\jkgtr.exe
C:\Users\Admin\AppData\Roaming\jkgtr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3184

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\jkgtr.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:4596

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\jkgtr.exe'" /f
3⤵
- Creates scheduled task(s)
PID:3008

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\jkgtr.exe" "C:\Users\Admin\AppData\Roaming\jkgtr.exe"
2⤵
PID:4888

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:2348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2348 -s 540
3⤵
- Program crash
PID:2768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2348 -ip 2348
1⤵
PID:4740

C:\Users\Admin\AppData\Roaming\jkgtr.exe
C:\Users\Admin\AppData\Roaming\jkgtr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4404

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\jkgtr.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1704

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\jkgtr.exe'" /f
3⤵
- Creates scheduled task(s)
PID:4224

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\jkgtr.exe" "C:\Users\Admin\AppData\Roaming\jkgtr.exe"
2⤵
PID:3664

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:4304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 540
3⤵
- Program crash
PID:1620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4304 -ip 4304
1⤵
PID:2344

C:\Users\Admin\AppData\Roaming\jkgtr.exe
C:\Users\Admin\AppData\Roaming\jkgtr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:60

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\jkgtr.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:3208

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\jkgtr.exe'" /f
3⤵
- Creates scheduled task(s)
PID:4580

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\jkgtr.exe" "C:\Users\Admin\AppData\Roaming\jkgtr.exe"
2⤵
PID:3584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:4440

C:\Users\Admin\AppData\Roaming\jkgtr.exe
C:\Users\Admin\AppData\Roaming\jkgtr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4604

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\jkgtr.exe'" /f
2⤵
PID:3540

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\jkgtr.exe'" /f
3⤵
- Creates scheduled task(s)
PID:2600

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\jkgtr.exe" "C:\Users\Admin\AppData\Roaming\jkgtr.exe"
2⤵
PID:1576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:4472

C:\Users\Admin\AppData\Roaming\jkgtr.exe
C:\Users\Admin\AppData\Roaming\jkgtr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4156

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\jkgtr.exe'" /f
2⤵
PID:4684

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\jkgtr.exe'" /f
3⤵
- Creates scheduled task(s)
PID:3924

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\jkgtr.exe" "C:\Users\Admin\AppData\Roaming\jkgtr.exe"
2⤵
PID:1496

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:4072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 540
3⤵
- Program crash
PID:1400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4072 -ip 4072
1⤵
PID:372

C:\Users\Admin\AppData\Roaming\jkgtr.exe
C:\Users\Admin\AppData\Roaming\jkgtr.exe
1⤵
- Executes dropped EXE
PID:4468

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\jkgtr.exe.log

Filesize
520B

MD5
41c37de2b4598f7759f865817dba5f80

SHA1
884ccf344bc2dd409425dc5ace0fd909a5f8cce4

SHA256
427235491a8da3fc8770ed60d30af731835c94585cd08d4d81fca9f703b283bc

SHA512
a8f3c74916623de100e4cf22e05df9cdf541b1e32443aab0434f35fb9c4a7fa950b997ce589b532e65731ae471a1f152cd5c00ea1df4bd7a6b57eb27c93c54bd

Download Submit
C:\Users\Admin\AppData\Roaming\jkgtr.exe

Filesize
1.5MB

MD5
cd33f6e84ebfe15dab41be1319122907

SHA1
bff44bfcd5d534a2ce2ea8cab944391e7f55abc1

SHA256
db222538ebb97c259d49917f7fdb5f7b38470fe96c38f190d0a2d79bcab1fb7a

SHA512
6e664b00d9b7afb44e5559b7b152a742979c2a132857aa7eb94edb0ff22c75ad193c7eb5bb7dfb8071a79d480985c9b2b16550504632d9086814c10d02168a6b

Download Submit
C:\Users\Admin\AppData\Roaming\jkgtr.exe

Filesize
1.5MB

MD5
cd33f6e84ebfe15dab41be1319122907

SHA1
bff44bfcd5d534a2ce2ea8cab944391e7f55abc1

SHA256
db222538ebb97c259d49917f7fdb5f7b38470fe96c38f190d0a2d79bcab1fb7a

SHA512
6e664b00d9b7afb44e5559b7b152a742979c2a132857aa7eb94edb0ff22c75ad193c7eb5bb7dfb8071a79d480985c9b2b16550504632d9086814c10d02168a6b

Download Submit
C:\Users\Admin\AppData\Roaming\jkgtr.exe

Filesize
1.5MB

MD5
cd33f6e84ebfe15dab41be1319122907

SHA1
bff44bfcd5d534a2ce2ea8cab944391e7f55abc1

SHA256
db222538ebb97c259d49917f7fdb5f7b38470fe96c38f190d0a2d79bcab1fb7a

SHA512
6e664b00d9b7afb44e5559b7b152a742979c2a132857aa7eb94edb0ff22c75ad193c7eb5bb7dfb8071a79d480985c9b2b16550504632d9086814c10d02168a6b

Download Submit
C:\Users\Admin\AppData\Roaming\jkgtr.exe

Filesize
1.5MB

MD5
cd33f6e84ebfe15dab41be1319122907

SHA1
bff44bfcd5d534a2ce2ea8cab944391e7f55abc1

SHA256
db222538ebb97c259d49917f7fdb5f7b38470fe96c38f190d0a2d79bcab1fb7a

SHA512
6e664b00d9b7afb44e5559b7b152a742979c2a132857aa7eb94edb0ff22c75ad193c7eb5bb7dfb8071a79d480985c9b2b16550504632d9086814c10d02168a6b

Download Submit
C:\Users\Admin\AppData\Roaming\jkgtr.exe

Filesize
1.5MB

MD5
cd33f6e84ebfe15dab41be1319122907

SHA1
bff44bfcd5d534a2ce2ea8cab944391e7f55abc1

SHA256
db222538ebb97c259d49917f7fdb5f7b38470fe96c38f190d0a2d79bcab1fb7a

SHA512
6e664b00d9b7afb44e5559b7b152a742979c2a132857aa7eb94edb0ff22c75ad193c7eb5bb7dfb8071a79d480985c9b2b16550504632d9086814c10d02168a6b

Download Submit
C:\Users\Admin\AppData\Roaming\jkgtr.exe

Filesize
1.5MB

MD5
cd33f6e84ebfe15dab41be1319122907

SHA1
bff44bfcd5d534a2ce2ea8cab944391e7f55abc1

SHA256
db222538ebb97c259d49917f7fdb5f7b38470fe96c38f190d0a2d79bcab1fb7a

SHA512
6e664b00d9b7afb44e5559b7b152a742979c2a132857aa7eb94edb0ff22c75ad193c7eb5bb7dfb8071a79d480985c9b2b16550504632d9086814c10d02168a6b

Download Submit
C:\Users\Admin\AppData\Roaming\jkgtr.exe

Filesize
1.5MB

MD5
cd33f6e84ebfe15dab41be1319122907

SHA1
bff44bfcd5d534a2ce2ea8cab944391e7f55abc1

SHA256
db222538ebb97c259d49917f7fdb5f7b38470fe96c38f190d0a2d79bcab1fb7a

SHA512
6e664b00d9b7afb44e5559b7b152a742979c2a132857aa7eb94edb0ff22c75ad193c7eb5bb7dfb8071a79d480985c9b2b16550504632d9086814c10d02168a6b

Download Submit
memory/448-134-0x0000000000000000-mapping.dmp

Download
memory/632-136-0x0000000000000000-mapping.dmp

Download
memory/1496-190-0x0000000000000000-mapping.dmp

Download
memory/1576-179-0x0000000000000000-mapping.dmp

Download
memory/1704-159-0x0000000000000000-mapping.dmp

Download
memory/2348-154-0x0000000000900000-0x0000000000CE4000-memory.dmp

Filesize
3.9MB

Download
memory/2348-151-0x0000000000000000-mapping.dmp

Download
memory/2348-153-0x0000000000900000-0x0000000000CE4000-memory.dmp

Filesize
3.9MB

Download
memory/2600-178-0x0000000000000000-mapping.dmp

Download
memory/3008-149-0x0000000000000000-mapping.dmp

Download
memory/3012-133-0x0000000000000000-mapping.dmp

Download
memory/3208-167-0x0000000000000000-mapping.dmp

Download
memory/3540-177-0x0000000000000000-mapping.dmp

Download
memory/3584-169-0x0000000000000000-mapping.dmp

Download
memory/3664-161-0x0000000000000000-mapping.dmp

Download
memory/3924-189-0x0000000000000000-mapping.dmp

Download
memory/4072-191-0x0000000000000000-mapping.dmp

Download
memory/4072-193-0x0000000000500000-0x00000000008E4000-memory.dmp

Filesize
3.9MB

Download
memory/4072-194-0x0000000000500000-0x00000000008E4000-memory.dmp

Filesize
3.9MB

Download
memory/4072-195-0x0000000000500000-0x00000000008E4000-memory.dmp

Filesize
3.9MB

Download
memory/4200-145-0x0000000074400000-0x0000000074439000-memory.dmp

Filesize
228KB

Download
memory/4200-146-0x00000000717B0000-0x00000000717E9000-memory.dmp

Filesize
228KB

Download
memory/4200-137-0x0000000000000000-mapping.dmp

Download
memory/4200-138-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4200-139-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4200-158-0x00000000717B0000-0x00000000717E9000-memory.dmp

Filesize
228KB

Download
memory/4200-140-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4200-157-0x0000000074400000-0x0000000074439000-memory.dmp

Filesize
228KB

Download
memory/4200-141-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4200-142-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4200-147-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4224-160-0x0000000000000000-mapping.dmp

Download
memory/4304-164-0x00000000009C0000-0x0000000000DA4000-memory.dmp

Filesize
3.9MB

Download
memory/4304-162-0x0000000000000000-mapping.dmp

Download
memory/4304-165-0x00000000009C0000-0x0000000000DA4000-memory.dmp

Filesize
3.9MB

Download
memory/4440-175-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4440-170-0x0000000000000000-mapping.dmp

Download
memory/4472-180-0x0000000000000000-mapping.dmp

Download
memory/4472-186-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4472-185-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4580-168-0x0000000000000000-mapping.dmp

Download
memory/4596-148-0x0000000000000000-mapping.dmp

Download
memory/4684-188-0x0000000000000000-mapping.dmp

Download
memory/4872-132-0x0000000000310000-0x000000000049C000-memory.dmp

Filesize
1.5MB

Download
memory/4872-135-0x0000000005620000-0x0000000005BC4000-memory.dmp

Filesize
5.6MB

Download
memory/4888-150-0x0000000000000000-mapping.dmp

Download